[cifs-protocol] [EXTERNAL] [MS-OAPXBC] Incorrect session key instructions
David Mulder
dmulder at samba.org
Thu Jan 25 16:54:14 UTC 2024
On 1/25/24 9:45 AM, David Mulder wrote:
>
>
> On 1/25/24 9:41 AM, Sreekanth Nadendla wrote:
>> Hello David, the data obtained after base64url decode is the key in
>> encrypted form. You would use the machine transport key to decrypt
>> this to obtain the pop key you need. Can you check if this works?
> That's exactly the problem. It can't be decrypted using the transport
> key. The number of bytes is too long. The CEK returned by MS appears
> to be corrupted (or a buffer overrun on your side, we're not sure).
For example:
> python3
>>> from cryptography.hazmat.primitives import serialization
>>> from cryptography.hazmat.primitives.asymmetric import padding
>>> from cryptography.hazmat.primitives import hashes
>>> transport_key = serialization.load_der_private_key(b'<redacted>', None)
>>> session_key_jwe =
"eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ.Lwx1oUwtrOVhZoHkPlNCVfvmInTIVfkpY4daNtS7fiL-dL-G2pgnSbCG23vwmk8VF9dbQPKkN4ERiWsXA8hjaZPE4XcWsylUrbT65hyO3U_r3nXLGxAYX06rRP21L8ak1qoFAl9wodJI30yHmBqYdsrO3BNa0QRXNmvliRF1fNnvzuRj5VQiqFi78-8as7rwKtUQ117R11q3EvaoYgwQUJS1JdDAiRDRHuVpVmfH8Gf279EpRuhKlyEN1gtjXCcK1U9cj3Oco47JeS3AuCZOrU0Q0rRSt0hWBFC21mLxqQ64hXTG3NOb5O-DFoN7sIf7vDBdQloZ2Sxq5gDVdegfmcsKTnjD3nooJIOuT8mmCyTeqdHlio-sYNBm0QzSsLPP3Dngl1bK.yLJM5ZkeigtBz5Cl.TA.lBRRBpOedY0K62Ti7jDqNA"
>>> encKey = base64.urlsafe_b64decode(session_key_jwe_parts[1]+'==')
>>>
>>> transport_key.decrypt(encKey,
padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),
algorithm=hashes.SHA1(), label=None))
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File
"/usr/lib64/python3.11/site-packages/cryptography/hazmat/backends/openssl/rsa.py",
line 444, in decrypt
raise ValueError("Ciphertext length must be equal to key size.")
ValueError: Ciphertext length must be equal to key size.
--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20240125/aeadd269/attachment.htm>
More information about the cifs-protocol
mailing list